Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Keep App Session secrets secret #39853

Merged
merged 11 commits into from
Mar 29, 2024
Merged

Keep App Session secrets secret #39853

merged 11 commits into from
Mar 29, 2024

Conversation

Joerger
Copy link
Contributor

@Joerger Joerger commented Mar 26, 2024
edited
Loading

This PR updates App Session endpoints to keep App Session secrets secret to the user. These secrets are only needed by the Proxy Service to create connections to App Services on behalf of the clients. Giving the clients access to these secrets can lead to degraded security, especially with Per-session MFA and Hardware Key support.

The only client consumer of App Session secrets before this PR was tsh proxy azure, which uses the app session private key to sign a JWT token auth header. This Auth header would pass through the proxy and get validated by the App Service.

With this change, the client instead signs a JWT token with its own private key. The Proxy checks the header, verifies it with the client public key, and resigns it with the app session key. Finally, the App Service verifies and parses the JWT token with the app session public key.

Related #39588

@Joerger
Copy link
Contributor Author

Joerger commented Mar 26, 2024

@jentfoo If you get a chance can you let me know what you think about the tsh proxy azure changes? The change is summarized above.

Do you think there are any security implications to re-signing the JWT? An alternative solution would be for the Proxy service to pass the client's public key in an additional request header so that the App Service can verify the original client-signed JWT.

@Tener
Copy link
Contributor

Tener commented Mar 26, 2024

The overall idea sounds good to me; I'll take a look at actual code ~tomorrow.

Tener
Tener reviewed Mar 27, 2024
View reviewed changes
lib/web/app/handler.go Outdated Show resolved Hide resolved
lib/auth/auth_with_roles.go Show resolved Hide resolved
lib/auth/auth_with_roles.go Outdated Show resolved Hide resolved
lib/web/app/handler.go Outdated Show resolved Hide resolved
tool/tsh/common/app_azure.go Outdated Show resolved Hide resolved
jentfoo
jentfoo approved these changes Mar 27, 2024
View reviewed changes
Copy link
Contributor

@jentfoo jentfoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like an improvement to me

An alternative solution would be for the Proxy service to pass the client's public key in an additional request header so that the App Service can verify the original client-signed JWT

I don't believe this would add any additional security. Ultimately you would still be reliant on what the proxy provides. So I think having the signature done by the proxy is more explicit and likely safer.

@Joerger Joerger force-pushed the joerger/protect-app-session-secrets branch from 908efa0 to 29f14fb Compare March 27, 2024 23:45
@Joerger Joerger requested a review from Tener March 27, 2024 23:45
@Joerger Joerger marked this pull request as ready for review March 27, 2024 23:45
@github-actions GitHub Actions
Copy link

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@github-actions github-actions bot requested review from rudream and smallinsky March 27, 2024 23:46
@github-actions github-actions bot added size/md tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Mar 27, 2024
@github-actions GitHub Actions
Copy link

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@Joerger Joerger added the no-changelog Indicates that a PR does not require a changelog entry label Mar 27, 2024
rosstimothy
rosstimothy approved these changes Mar 28, 2024
View reviewed changes
lib/web/app/handler.go Outdated Show resolved Hide resolved
lib/web/app/handler_test.go Outdated Show resolved Hide resolved
lib/web/app/transport.go Outdated Show resolved Hide resolved
lib/web/app/transport.go Outdated Show resolved Hide resolved
@Joerger Joerger enabled auto-merge March 28, 2024 17:31
@Joerger Joerger force-pushed the joerger/protect-app-session-secrets branch from 2242561 to eb33d91 Compare March 28, 2024 19:28
@Joerger Joerger mentioned this pull request Mar 29, 2024
Merged
@Joerger Joerger force-pushed the joerger/protect-app-session-secrets branch from eb33d91 to f4cd315 Compare March 29, 2024 00:03
@Joerger
Copy link
Contributor Author

Joerger commented Mar 29, 2024

@zmb3 @r0mant can I please get an /excludeflake *?

@r0mant
Copy link
Collaborator

r0mant commented Mar 29, 2024

/excludeflake *

@Joerger Joerger added this pull request to the merge queue Mar 29, 2024
Merged via the queue into master with commit 4690eea Mar 29, 2024
35 checks passed
@Joerger Joerger deleted the joerger/protect-app-session-secrets branch March 29, 2024 23:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rosstimothy rosstimothy rosstimothy approved these changes

@jentfoo jentfoo jentfoo approved these changes

@Tener Tener Tener approved these changes

Assignees
No one assigned
Labels
no-changelog Indicates that a PR does not require a changelog entry size/md tsh tsh - Teleport's command line tool for logging into nodes running Teleport.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Joerger @Tener @r0mant @jentfoo @rosstimothy